Bitwarden moves to secure encryption design

Share post:

Bitwarden, a password vault vendor, has improved the mechanism’s default security configuration in response to increased condemnation of the encryption technique it employs to safeguard users’ secret encryption keys.

The number of PBKDF2 hash iterations used to compute the decryption key for a user’s password vault is criticized as being excessive. The media has mostly repeated the assertion that the data is protected by 200,001 PBKDF2 iterations: 100,001 on the client side and 100,000 on the server.

Furthermore, the server-side iterations are designed in such a way that they offer no security benefit. On the client side, 100,000 iterations are still available. Server-side iterations, according to critics, are also ineffective. Older accounts are locked into much lower security settings unless they manually increase iterations on their settings.

In this scenario, OnOAWSP recommends using the PBKDF2 algorithm with random salts, SHA-256, and 600,000 iterations (a figure recently increased from the previous recommendation of 310,00 rounds).

All of these criticisms are directed at Bitwarden, which is seen as a credible alternative to LastPass in the aftermath of its breach, and it is critical to provide a more secure credible alternative without fear of being breached.

Bitwarden has since begun to treat these criticisms as feature requests.

The sources for this piece include an article in Portswigger.

SUBSCRIBE NOW

Related articles

Russian State-Backed Cyber Attack Exploits Zero-Day Vulnerabilities in Windows and Firefox

Headline: A sophisticated cyberattack leveraging two chained zero-day vulnerabilities in Mozilla Firefox and Microsoft Windows has been confirmed by...

Starbucks Forced to Pay Baristas Manually After Ransomware Attack

A ransomware attack on Blue Yonder, a third-party scheduling software provider, has disrupted Starbucks’ ability to manage employee...

Google Launches Free Cybersecurity Certificate for Entry-Level Jobs

Google has introduced a new Cybersecurity Professional Certificate, aimed at preparing students for entry-level roles in just six...

Critical Vulnerability Leaves Millions Of Sites Vulnerable To Takeover

A severe authentication bypass vulnerability has been discovered in the WordPress plugin "Really Simple Security" (formerly *Really Simple...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways